[Zope3-Users] ForbiddenAttribute with defaultView directive

Markus Kemmerling markus.kemmerling at meduniwien.ac.at
Sat Sep 12 11:05:49 EDT 2009


Hass,

Do you use some version of z3c.layer that's registering standard Zope traversers as trusted adapters, like, e.g.:

   <adapter
       for="zope.container.interfaces.IItemContainer
            z3c.layer.trusted.ITrustedBrowserLayer"
       provides="zope.publisher.interfaces.browser.IBrowserPublisher"
       factory="zope.container.traversal.ItemTraverser"
       permission="zope.Public"
       trusted="True"
       />

In this case, if you traverse to 'student_object/top.html' the ItemTraverser will try to lookup the view:

view = queryMultiAdapter((self.context, request), name=name)

Since the traverser is trusted the view will be looked up with a non-security-proxied purchase object. As a result the security declarations of your Purchase class will be ineffective.

Try to traverse to 'student_object/@@top.html', i.e. explicitly using the 'view' namespace instead of the ItemTraverser's fallback to a view lookup. If I'm right, this will correctly raise a ForbiddenAttribute.

In any case: If you get a ForbiddenAttribute the user permissions are not the problem. In the latter case you would get an Unauthorized exception.

Regards,
Markus Kemmerling
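The mechanism described above, as an added example that is not code from the thread or from zope.security: a toy security proxy that raises ForbiddenAttribute for an attribute with no 'require' declaration and Unauthorized for a declared permission the principal lacks, plus a publish step that either keeps the proxy or, like a trusted ItemTraverser, strips it before the view runs. The Purchase and Student classes, the checker table, and the 'student.edit' permission are constructed from the thread; the proxy is a simplified stand-in for zope.security.checker, not its real implementation.

```python
# Simplified model of Zope security-proxy semantics (added example, not
# zope.security's own code): no 'require' declaration -> ForbiddenAttribute,
# declared permission the user lacks -> Unauthorized, trusted traverser -> no checks.
from types import SimpleNamespace

class ForbiddenAttribute(Exception): pass
class Unauthorized(Exception): pass
class Purchase(SimpleNamespace): pass   # Purchase(order=...)
class Student(dict): pass               # student["orders"] -> [Purchase, ...]

# Constructed checker table: class -> {name: permission}. Purchase has none
# at all, i.e. no <require .../> declarations.
CHECKERS = {Student: {"__getitem__": "zope.Public"}, Purchase: {}}
INTERACTION = set()  # permissions held by the current principal
def require(cls, name, permission):  # models <require permission=... attributes=.../>
    CHECKERS[cls][name] = permission

class SecurityProxy:
    def __init__(self, obj):
        object.__setattr__(self, "_obj", obj)
    def _check(self, name):
        obj = object.__getattribute__(self, "_obj")
        needed = CHECKERS[type(obj)].get(name)
        if needed is None:
            raise ForbiddenAttribute(name)
        if needed != "zope.Public" and needed not in INTERACTION:
            raise Unauthorized(name)
        return obj
    def __getattr__(self, name):
        return proxy(getattr(self._check(name), name))
    def __getitem__(self, key):
        return proxy(self._check("__getitem__")[key])
def proxy(value):
    """Wrap checked objects; values fetched through a proxy are proxied too."""
    if type(value) in CHECKERS:
        return SecurityProxy(value)
    return [proxy(v) for v in value] if isinstance(value, list) else value

def student_display(context):
    return [purchase.order for purchase in context["orders"]]  # the view body
def publish(student, trusted_traverser, granted=()):
    """Model of the ItemTraverser view lookup for 'student_object/top.html';
    returns the rendered list, or the name of the security error raised."""
    INTERACTION.clear(); INTERACTION.update(granted)
    context = proxy(student)
    if trusted_traverser:  # trusted adapter: removeSecurityProxy(context)
        context = object.__getattribute__(context, "_obj")
    try:
        return student_display(context)
    except (ForbiddenAttribute, Unauthorized) as e:
        return type(e).__name__  # what the publisher would report
```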

On 12.09.2009 at 14:46, hass wrote:

> Hi,
>
> I have a ZCML declaration like this for the "StudentDisplay" view:
>
> <z3c:pagelet
>     for="..IStudent"
>     name = "top.html"
>     class=".StudentDisplay"
>     permission = "student.edit"
>     layer = ...
> />
>
> <browser:defaultView
>    for = "..IStudent"
>    name = "top.html"
>    layer = ...
> />
>
> In the "StudentDisplay" view I have the following line:
>
> orders = [ purchase.order for purchase in  self.context['orders'] ]
>
> Now, the "purchase" object does not have any security declarations (with
> the "require" directive) and the above line (which is accessing the
> "order" attribute) should produce a ForbiddenAttribute. However, there
> is something which I don't get.
>
> When I access the "student_object/top.html" page, I do not get any
> errors and "can" access the "order" attribute of the purchase object. On
> the other hand when I don't explicitly enter the full URL and want to
> take advantage of the defaultView directive (when accessing
> "student_object/"), there is a ForbiddenAttribute.
>
> The user is the same and has the exact same permissions.
> Can anyone please explain this behavior to me?
> Thank you!
> Hass